Working Papers

External Assessors must create working papers based on the artifacts collected during the validated assessment that were used to support the External Assessor’s review and validation of the Assessed Entity’s scoring.

11.3.1 Each requirement statement that includes sample-based testing must have a testing lead sheet. The testing lead sheet must:

  • Reference the population evidence (including creation date and source)
  • Include the population size, population date range and sample size
  • Document the sampling approach
  • List the attributes tested (addressing all illustrative procedure elements / evaluative elements within the requirement statement), including a description of the test procedure
  • List the items selected for testing (with identifier back to the population and references to evidence for each sampled artifact)
  • Include the results of testing for each sampled item and corresponding attribute(s)

11.3.2 For the Policy and Procedure PRISMA levels, there must be clear references to the evidence supporting the scores. The Assessed Entity or External Assessor should map each requirement statement’s evaluative element to the location within the document (e.g., section, page #, paragraph, etc.) where it describes the corresponding policy and/or procedure.

11.3.3 For the Measured and Managed PRISMA levels, there must be clear references to the supporting measure(s), metric(s) and/or risk treatment plan supporting the scores. Additionally, documentation must demonstrate how the criteria of a measure, metric, or risk treatment plan were achieved (for the criteria, see Chapter 9.4 Measured Maturity Level and Chapter 9.5 Managed Maturity Level). In cases where sampling was performed, the same testing lead sheet requirements in criterion 11.3.1 must be followed, along with all requirements in Chapter 11.4 Population & Sampling.

Evidence

Evidence must be collected during the assessment to support the scores documented within the assessment.

Evidence is the information obtained by performing procedures during a HITRUST assessment. Evidence may include distinct types of information that influence the nature and/or extent of audit procedures needed to reach a conclusion on the requirement statement score. The various types of information include:

  • Verbal information: Information obtained via responses to inquiries during the assessment.
  • Observed information: Information obtained via observation (e.g., datacenter visit or a screenshot of a system configuration setting observed on a screen).
  • Paper documents: Information obtained using documents (e.g., an original IT Service Level Agreement or a policy/procedure).
  • Electronic information: Information obtained using electronic documents (e.g., a scanned version of a signed approval form) or data stored in an IT system (e.g., system-generated user access lists or change tickets from a ticketing system).

HITRUST has specific requirements related to evidence used during an assessment as indicated below.

11.3.4 Persuasiveness of the evidence relates to the External Assessor obtaining appropriate evidence that is sufficient for the auditor to draw reasonable conclusions. The External Assessor may rely on evidence that is persuasive rather than conclusive. The External Assessor must use professional judgment and professional skepticism in evaluating the quantity and quality of the evidence, and thus its sufficiency and appropriateness, to support the results.

11.3.5 The External Assessor must obtain more than verbal information to obtain sufficient evidence to support its procedures. Inquiry alone does not provide sufficient evidence to evaluate the maturity level of the corresponding requirement statement.

11.3.6 Evidence is more reliable (and persuasive) when multiple items of consistent supporting evidence are obtained from different sources or are of a different nature, compared with any single item of evidence considered individually. For example, corroborating information by observing a wireless access point in a data center may increase the reliability of a network diagram obtained from management that shows the wireless access point. Conversely, when evidence obtained from one source is inconsistent with that obtained from another, additional procedures must be performed to reconcile the discrepancy.

11.3.7 All evidence collected that supports the requirement statement scores within a validated assessment must be uploaded to MyCSF and properly referenced within the Test Plan and/or MyCSF. A validated assessment’s collective body of working papers is considered incomplete if validation of only a portion of the assessment’s scope and/or requirement statements is reflected in the working papers. The only exception is if the assessment will be undergoing Live QA (see Chapter 14.3 Live QA).

11.3.8 Observations and inspections used to support scoring must be performed within the fieldwork period (e.g., configuration screenshots, system parameters, audit logs, etc.). Evidence provided by the Assessed Entity to the External Assessor supporting those observations and inspections must include a corresponding date within the fieldwork period.

11.3.9 Policy and procedure documents used to support scoring must be current, final (non-draft), and periodically reviewed by the Assessed Entity in accordance with its requirements. The documents attached as evidence in MyCSF must include all relevant sections of the final, approved policy or procedure documents to support scoring of the corresponding requirement statements.

11.3.10 Policy and procedure documents may be obtained by the External Assessor prior to the start of the fieldwork period but must be reviewed and validated by the External Assessor within the fieldwork period.

11.3.11 External Assessors must link supporting evidence individually to each of the related requirement statements as well as the related PRISMA maturity level(s) within MyCSF. The External Assessor may not:

  • Only list and/or reference the supporting evidence in a Test Plan and/or lead sheet (instead of linking the evidence in MyCSF).
  • Use zip files that contain all evidence for a particular domain and/or requirement statement.
  • Embed all evidence for a particular domain and/or requirement statement within a spreadsheet.

11.3.12 The External Assessor must include evidence documenting the date when each evidence artifact was generated. For each type of evidence, this date will be:

  • Verbal Information: Date of the inquiry response
  • Observed Information: Date of the observation
  • Paper Documents: Date when the document was provided by the Assessed Entity
  • Electronic Information: Date when the electronic record or system-generated report/document was generated by the corresponding system of record.

11.3.13 Evidence is expected to be submitted in English. Where translations of all evidence are not possible, the Assessed Entity and/or External Assessor must provide written translations from a translation service for all items selected for review during the Quality Assurance process.

11.3.14 The MyCSF assessment object will continue to retain all working papers and evidence until expiration of the certification. Assessed entities will not be able to delete the object and/or evidence within the object until expiration of the certification. For details on the HITRUST data retention policy, see Chapter 5.1 Validated Assessment Workflow, Assessment Object Archiving.

11.3.15 Assessed entities may be able to archive an assessment prior to certificate expiration with approval from HITRUST. However, HITRUST will continue to retain access to the assessment evidence and work papers until expiration of the certification. For archiving approval prior to expiration of the certification, the Assessed Entity must contact HITRUST Support with its rationale for the request.